Operation Cloud Hopper Targets Managed IT Service Providers and Their Clients

A widespread campaign known to be targeting managed service providers (MSPs) in at least fourteen countries has been tied to the group known as APT10 and is thought to be operating out of China. These are the conclusions of a new report published this week by PwC UK and BAE Systems.

As always with such reports, attribution is down to the weight of circumstantial evidence. The authors detail historical evidence that leads towards APT10, and domain registration timing evidence that suggests operation from within China's timezone. The authors do not suggest that APT10 is state-controlled, but they paint a picture that invites a conclusion that it is at least state-sponsored.

Part of the historical evidence includes an overlap in malware used in attacks previously attributed to APT10. The group is believed to have primarily used Poison Ivy before switching to PlugX; and used both for a period of about nine months. From around mid-2016 it started to 're-tool' and is now using PlugX, ChChes, Quasar and RedLeaves.

The authors describe a campaign that uses well-researched spear-phishing to first compromise MSPs. From here they obtain legitimate credentials to access the MSPs' client networks that align to APT10's targeting profile -- which the authors claim aligns with China's current five-year plan (FYP) for economic growth.

Once on the target network, the attacker moves laterally to locate specific data of interest. This is collected and compressed before being moved back to the MSP and finally sent to a server under the attackers' control. This is a classic supply-chain attack, similar in concept to the iconic Target breach. Organizations are generally getting better at their own security but remain slack over the security of their suppliers -- in this case, their MSPs.

"It is fundamental for organizations to come to terms with the fact that raising their own security posture is essential but not sufficient," warns Donato Capitella, senior security consultant at MWR InfoSecurity; "especially if they are then willing to interweave their IT systems with third parties whose security posture is insufficient. Organizations have to mandate higher security standards if they do not want to see all of their security investment undermined by trivial security mistakes on behalf of their partners. At the same time, third parties that can demonstrably step up their security game will become preferred over time and will undoubtedly have a higher chance to win important contacts in the future.?"

The question over whether the US and UK accords with China over economic espionage is now defunct is posed, but not answered by the study. The US and UK are only two of fourteen countries affected, so they are not specifically targeted. It is MSPs in all of those countries that are the targets; and we are not told of any specific client organizations breached.

The two accords specify 'economic espionage'; political espionage is still acceptable in both directions. It is perfectly possible, if not likely, that MSPs compromised in America and Britain have not been used for economic gain. Without further information from the authors, we simply do not know.

It is likely that the attackers are the group known as APT10, and it is likely that they are based in China -- but unambiguous attribution and motivation is not possible based on this report. "Overall," comments Israel Barak, CISO of Cybereason, "the notion that China has decreased its efforts since 2015 to conduct economic espionage is preposterous. China is known for using cutouts and sympathetic agents to collect information on their behalf. China, Russia and other nation states frequently outsource wholesale hacking operations to individual groups and companies. In addition to their government services, these companies contract with, and provide services to, other clients. To do otherwise would greatly devalue the plausible deniability that is one of the major benefits of outsourcing. There are many reasons there is an uptick in outsourcing of operations because countries can rapidly expand capabilities in a short period of time, increase plausible deniability of actions, mitigate risk of detection, gain technical expertise that they cannot recruit directly into the government and decrease overall operational costs."

But whether this indicates the end of the two China accords is a different matter. "The most significant challenge for investigators in the UK or US is tying digital activity to a person and organization in this massive breach or any breach for that matter. In reality, we live in a world where as more and more state-sponsored activity is being conducted by corporations, attribution gets even more difficult. To reiterate, it is too early in this particular instance to determine whether the Cameron-Xi accord was broken or is it simply a case of competitive intelligence and cybercrime that must be dealt with bilaterally between Great Britain and China."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.